1. Yooba and GDPR, work being done
As a company born and raised in Europe, Yooba is up to speed with the implications that the EU General Data Protection Regulation has for businesses.
We appreciate the privacy needs of Yooba users as well as their customers and, as such, have implemented, and will continue to improve, technical and organizational measures in line with the GDPR to safeguard the personal data processed by Yooba.
1.1 Internal processes, security and data transfers
A large part of GDPR compliance is making sure that there are procedures in place that ensure that data processes are mapped and auditable. Therefore, we have done the following:
- We have added elements to our application development cycle to build features in accordance with the principles of Privacy by Design.
- Any access to the Client Data that we process on your behalf is strictly limited.
- Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.
- We have established a process for onboarding third-party service providers and adopting tools that makes sure that these third parties meet the high expectations that Yooba and its customers have when it comes to privacy and security.
1.2 Readiness to comply with data subjects' requests
Data subjects' ownership of their personal data is at the heart of the GDPR.
- We are prepared to respond to data subject requests to delete, modify, or export their data in a machine-readable format.
- This means that our Customer Support Specialists along with the Engineers that assist them in their work are well-prepared to help in any matters involving your personal data.
Our Terms & Conditions are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements. As these are a vital part of the foundation of our relationship with you, it is important for us to explain our commitments and your rights thoroughly and transparently in these documents. Furthermore, we're constantly mapping all our data processing activities to be able to comply with the GDPR accountability requirements.
All of the above is supported by continuous training efforts within the company so that the GDPR-compliant processes we've put in place are followed. Sessions on data privacy and security are an integral part of our onboarding process, and each department receives training that is tailored to its work involving personal data.
2. Yooba and GDPR, the set-up
Enforcement of the European Union's General Data Protection Regulation (GDPR) kicks in on 25 May 2018. This legislation has had great impact on anyone whose business involves the handling of personal data about EU residents or within the EU. Since personal data is essential for the Yooba solution, we too have been busy making sure that we are compliant.
Here we provide an overview of the data-related roles and responsibilities in relation to working with the Yooba offering and explain our efforts to live up to the requirements of the GDPR.
2.1 Yooba as the data processor
The people you store in Yooba are your data subjects, and you as the customer are considered the data controller for this personal data. In Yooba’s Terms & Conditions we refer to this as Client Data.
Using our services means that you have appointed Yooba as a data processor to carry out certain processing activities on your behalf. According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be set out in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Terms & Conditions come in. This document also serves as our joint data processing contract.
2.2 Data transfers
Regarding data transfers outside of the EEA:
The GDPR establishes strict requirements for moving data outside of its scope of protection, since the law could not otherwise fulfil its purpose.
The responsibilities for meeting these data transfer requirements are divided as follows:
- As our EU customers have a legal relationship with us, a company within the EU that complies with EU regulations, the primary rule is that data transfers remain within the EEA.
- If Yooba engages sub-processors outside the EEA, we will also ensure that we transfer the data lawfully.
- Yooba will keep an up-to-date list of sub-processors.
- This list will also explain what data is involved in each transfer and how we have ensured that the data is adequately protected.
We do this by making sure that our third-party service providers have either certified under the EU-US Privacy Shield framework or signed the EU Commission’s standard contractual clauses for data transfers with us.
2.3 Yooba as the data controller
Furthermore, Yooba acts as the data controller for the personal data we collect about our customers and our registered users on our website and in demo material around the Yooba platform.
- First off, the foundation for every action on the topic is that we only process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).
- Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)); this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
- Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
Examples of such "legitimate interests":
- Improving the Yooba offering to help you reach higher levels of efficiency.
- Making sure that your data and Yooba's solution are safe and secure.
- Responsible marketing of the Yooba offering and its features.
As the controller for your personal data, Yooba is committed to ensuring all your rights under the GDPR. If you have any questions or feedback, please contact our Data Protection Officer by email at email@example.com.